CLAIMS

1. A method of transmitting information between a first computer and a second computer,
comprising the steps of:

(1) embedding in each of a plurality of data packets a discriminator value that periodically
changes between successive data packets, wherein each discriminator value is not based solely on
the value of other data in each data packet;

(2) transmitting the plurality of data packets between the first computer and the second 
computer; 

(3) receiving the transmitted data packets at the second computer; and 

(4) for each received data packet, comparing the discriminator value to a set of valid 
discriminator values and, in response to detecting a match, accepting the received data packet for 
further processing, and otherwise rejecting the received data packet. 

2. The method of claim 1, wherein step (1) comprises the step of using an Internet
Protocol address in an Internet Protocol header as the discriminator value, wherein the Internet
Protocol address is used to route the data packets over the Internet.

3. The method of claim [illegible], further comprising the step of changing in value only part of
the Internet Protocol addresses between successive packets.

4. The method of claim 1, further comprising the step of using as the discriminator value a
data field external to an Internet Protocol header of each data packet.

5. The method of claim 1, wherein steps (1) and (4) are performed in a data link layer of
an ISO standard communication protocol.

6. The method of claim 1, wherein step (1) comprises the step of using a Media Access
Control (MAC) hardware address as the discriminator value, wherein the MAC hardware address
is used to route the data packets on a local area network.

7. The method of claim 1, wherein step (1) comprises the step of using a different
discriminator value for each successive packet.

8. The method of claim 1, wherein step (4) comprises the step of comparing each
discriminator value to a window of valid discriminator values, wherein the window is wide
enough to permit comparison to only a small number of potentially valid discriminator values, and
further comprising the step of moving the window as successive data packets are received.

9. The method of claim 1, further comprising the step of sharing between the first
computer and the second computer information sufficient to generate the set of valid
discriminator values.

10. The method of claim 1, further comprising the step of transmitting from the first
computer to the second computer an algorithm for selecting successively valid discriminator
values.

11. The method of claim 1, wherein step (4) comprises the step of using a presence vector
to determine whether to accept each data packet.

12. The method of claim 1, wherein step (4) comprises the step of using a hashing
function to determine whether the discriminator value is valid.

13. The method of claim 1, further comprising the step of transmitting a synchronization
request between the first computer and the second computer, wherein the second computer uses
the synchronization request to maintain synchronization of valid discriminator values.

14. The method of claim 13, further comprising the step of, in response to failure to
receive a synchronization acknowledgement from the second computer, shutting off transmission
of data packets to the second computer.

15. The method of claim 13, further comprising the step of embedding a synchronization
value in each data packet that permits the second computer to re-establish synchronization in a set
of potentially valid discriminator values.

16. The method of claim 13, further comprising the step of moving a window of valid
discriminator values in the second computer in response to receiving the synchronization request
from the first computer.

17. The method of claim 1, wherein step (1) comprises the steps of using an Internet
Protocol source address in an Internet Protocol header as a first part of the discriminator value
and using an Internet Protocol destination address in the Internet Protocol header as a second part
of the discriminator value, wherein the source and destination addresses are used to route each
data packet over the Internet.

18. The method of claim 17, further comprising the steps of:

embedding a plurality of the data packets into a frame; and

embedding a source and destination hardware address in the frame, wherein the source
and destination hardware address are quasi-randomly generated and used to route the frame on a
network.

19. The method of claim 1, further comprising the step of maintaining in the first
computer a first transmit table and a first receive table, and maintaining in the second computer a
second transmit table and a second receive table,

wherein each transmit table comprises a list of valid discriminator values that are to be
inserted into outgoing data packets;

wherein each receive table comprises a list of valid discriminator values that are to be
compared against incoming data packets;

wherein the first transmit table in the first computer matches the second receive table in
the second computer; and wherein the first receive table in the first computer matches the second
transmit table in the second computer.

20. A method of transmitting data packets over a network comprising a plurality of
computers connected to each other through a plurality of physical transmission paths, the method
comprising the steps of:

(1) for each of the plurality of data packets, randomly selecting one of the plurality of
physical transmissions paths through the plurality of computers; and

(2) transmitting each data packet over the randomly selected physical transmission path.

21. The method of claim 20, wherein step (1) comprises the steps of:

(a) selecting a path defined by a pair of computers in the network;

(b) selecting valid source and destination addresses associated with the selected path; and

(c) inserting the valid source and destination addresses into the data packet before
transmitting it over the selected path.

22. The method of claim 21, wherein step (1) comprises the step of avoiding selection of
a path that is not operational.

23. A system comprising:

a first computer that embeds into each of a plurality of data packets a discriminator value
that periodically changes between successive data packets, wherein each discriminator value is not
based solely on the value of other data in each data packet; and

a second computer coupled to the first computer through a network,

wherein the first computer transmits the plurality of data packets to the second computer,
and

wherein the second computer receives the transmitted data packets, compares the
discriminator value in each received data packet to a set of valid discriminator values and, in
response to detecting a match, accepts the received data packet for further processing, and
otherwise rejects the received data packet.

24. The system of claim 23, wherein the first computer embeds into each of the plurality
of data packets an Internet Protocol address in an Internet Protocol header as the discriminator
value, wherein the Internet Protocol address is used to route the data packets over the Internet.

25. The system of claim 24, wherein the computer changes in value only part of the
Internet Protocol addresses between successive packets.

26. The system of claim 23, wherein the first computer embeds the discriminator value in
a data field external to an Internet Protocol header of each data packet.

27. The system of claim 23, wherein the first computer embeds each discriminator value
in a first data link layer of an ISO-standard communications protocol, and wherein the second
computer compares each discriminator value in a second data link layer of the ISO standard
communications protocol.

28. The system of claim 23, wherein the first computer embeds a Media Access Control
(MAC) hardware address as the discriminator value, wherein the MAC hardware address is used
to route the data packets on a local area network.



29. The system of claim 23, wherein the first computer embeds a different discriminator
value for each successive packet.

30. The system of claim 23, wherein the second computer compares each discriminator
value to a window of valid discriminator values, wherein the window is wide enough to permit
comparison to only a small number of potentially valid discriminator values, and wherein the
window is moved as successive data packets are received.

31. The system of claim 23, wherein the first and second computers share common
information sufficient to generate the set of valid discriminator values.

32. The system of claim 23, wherein the first computer transmits to the second computer
an algorithm for selecting successively valid discriminator values.

33. The system of claim 23, wherein the second computer uses a presence vector to
determine whether to accept each data packet.

34. The system of claim 23, wherein the second computer uses a hashing function to
determine whether the discriminator value is valid.

35. The system of claim 23, wherein the first computer transmits to the second computer
a synchronization request, wherein the second computer uses the synchronization request to
maintain synchronization of valid discriminator values.

36. The system of claim 35, wherein the first computer, in response to failure to receive a
synchronization acknowledgement from the second computer, shuts off transmission of data
packets to the second computer.

37. The system of claim 35, wherein the first computer embeds a synchronization value in
each data packet that permits the second computer to re-establish synchronization in a set of
potentially valid discriminator values.

38. The system of claim 35, wherein the second computer moves a window of valid
discriminator values in response to receiving the synchronization request from the first computer.

39. The system of claim 23, wherein the first computer embeds an Internet Protocol
source address in an Internet Protocol header as a first part of the discriminator value and embeds
an Internet Protocol destination address in the Internet Protocol header as a second part of the
discriminator value, wherein the source and destination addresses are used to route each data
packet over the Internet.

40. The system of claim 39, wherein the first computer embeds a plurality of the data
packets into a frame and embeds a source and destination hardware address in the frame, wherein
the source and destination hardware address are quasi-randomly generated and used to route the
frame on a network.

41. The system of claim 23,

wherein the first computer comprises a first transmit table and a first receive table,

wherein the second computer comprises a second transmit table and a second receive
table,

wherein each transmit table comprises a list of valid discriminator values that are to be
inserted into outgoing data packets,

wherein each receive table comprises a list of valid discriminator values that are to be
compared against incoming data packets,

wherein the first transmit table in the first computer matches the second receive table in
the second computer, and

wherein the first receive table in the first computer matches the second transmit table in
the second computer.

42. A first computer coupled to a network comprising a plurality of computers connected
to each other through a plurality of physical transmission paths,

wherein the first computer generates a plurality of data packets for transmission across the
network; and

wherein the first computer, for each of the plurality of data packets, randomly selects one
of the plurality of physical transmissions paths through the plurality of computers and transmits
each data packet over the randomly selected physical transmission path.

43. The first computer of claim 42, wherein the first computer:

(a) selects a path defined by a pair of computers in the network;

(b) selects valid source and destination addresses associated with the selected path; and

(c) inserts the valid source and destination addresses into the data packet before
transmitting it over the selected path.

44. The first of claim 43, wherein the first computer avoids the step of avoiding selection
of a path that is not operational.



45. A system comprising in combination:

a transmitting node that generates pseudo-random discriminator values and embeds the
pseudo-random discriminator values into data packets for transmission; and

a receiving node that receives data packets transmitted by the transmitting node, wherein
the receiving node, for each received packet, extracts the pseudo-randomly generated
discriminator value, compares it to a set of potentially valid discriminator values shared between
the transmitting node and the receiving node and, in response to detecting a match, accepts the
data packet, and otherwise discards the packet.

46. The system of claim 45, wherein the receiving node maintains a window of valid
discriminator values, wherein the window is moved in response to detecting a match.

47. The system of claim 45, wherein each pseudo-randomly generated discriminator value
comprises a valid Internet Protocol address that is assigned to the receiving node.

48. The system of claim 45, wherein each pseudo-randomly generated discriminator value
comprises a valid Media Access Control (MAC) hardware address that is assigned to the
receiving node.

49. The system of claim 45, wherein the transmitting node generates a different
pseudo-randomly generated discriminator value for each successive data packet.

50. A receiving computer that receives data packets from a transmitting computer,
wherein the receiving computer comprises computer instructions that execute the steps of:

(1) for each received data packet, extracting a discriminator value inserted by the
transmitting computer;

(2) comparing the extracted discriminator value to a set of valid discriminator values on
the basis of information previously shared with the transmitting computer; and

(3) in response to detecting a match in step (2), accepting the received data packet for
further processing and otherwise rejecting the data packet.

51. The receiving computer of claim 50, wherein the receiving computer further
comprises computer instructions that extract as the discriminator value an Internet Protocol
address from a header portion of each data packet.

52. The receiving computer of claim 50, wherein the receiving computer maintains a
window of valid discriminator values, wherein the window is moved in response to detecting
matches.

53. The receiving computer of claim 50, wherein the receiving computer receives 
information from the transmitting computer sufficient to establish the set of valid discriminator 
values. 

54. A method of transmitting data from a first computer to a second computer, the data
comprising a plurality of data bytes arranged in a particular order, the method comprising the
steps of:

(1) establishing in the first computer and second computer a common algorithm that
determines how data will be randomly distributed across a plurality of data packets;

(2) in the first computer, randomly distributing the plurality of data bytes across the
plurality of data packets according to the common algorithm;

(3) transmitting the plurality of data packets from the first computer to the second
computer; and

(4) in the second computer, extracting the randomly distributed plurality of data bytes
from the plurality of data packets and reassembling them into the particular order according to the
common algorithm.

55. The method of claim 1, wherein step (3) comprises the step of transmitting each of
the plurality of data packets across a different path in a computer network.

56. A system comprising:

a first computer including an algorithm that establishes a random distribution pattern for
allocating data across a plurality of data packets, wherein the first computer randomly distributes
data bytes from a data source across the plurality of data packets according to the random
distribution pattern and transmits the plurality of data packets across a network; and

a second computer coupled to the first computer across the network, wherein the second
computer receives the plurality of data packets from the first computer, extracts the randomly
distributed data bytes, and reassembles them into their original order according to the algorithm.

57. The system of claim 56, wherein the first computer transmits each of the plurality of
data packets across a different path in the network.

58. A method of securely transiting a data packet between a sending computer and a
receiving computer, comprising the steps of:

(1) encrypting the data packet using a session key known to the sending computer and the
receiving computer, but not known by intermediate computers between the sending computer and
the receiving computer;

(2) adding a packet header that identifies the data packet to the data packet encrypted in
step (1);

(3) encrypting the combined packet header and encrypted data packet created in step (2)
using a link key known to each of a plurality of intermediate computers arranged between the first
computer and the second computer;

(4) adding a cleartext packet header to route the packet encrypted in step (3); and

(5) transmitting the packet created in step (4).

59. The method of claim 58, further comprising the steps of:

(5) at each intermediate computer, decrypting the packet received from a previous
computer and decrypting it using the link key;

(6) re-encrypting the packet using a different link key known to a next intermediate
computer in the network;

(7) [...] packet header to route the packet re-encrypted in step (6); and

(8) transmitting the packet created in step (7) to the next intermediate computer.

60. The method of claim 59, further comprising the step of, at the receiving computer,
decrypting the packet using the session key.

61. A method of transmitting data over a computer network, comprising the steps of:

at an originating terminal connected to the computer network, receiving a stream of data,
and forming first level data packet payloads therefrom;

identifying a network destination address for the stream of data and adding first level
headers containing data representing the network destination address to each of the data packets
to form a first level packet;

encrypting each of the first level packets to form second level packet payloads;

attaching to the second level packet payloads headers containing as destination addresses,
addresses of at least one intermediate router connecting the originating terminal to the destination
to form second level packets;

sending the second level packets to the at least one intermediate router;

at the at least one intermediate router, decrypting at least one of the second level payloads
and determining from the first level headers the destination address, forming new packets
containing at least the first level packet payloads, and attaching headers thereto containing the
destination address, whereby a true destination of the data stream is concealed behind a layer of
encryption for at least a portion of its travel over the network.

62. The method of claim 61, wherein the step of attaching includes determining the at least
one intermediate router by randomly selecting from a group of intermediate routers.

63. The method of claim 61, wherein the step of determining from the first level headers
the destination address includes converting the data representing the network destination address
with the network destination address by means of correlation data stored on the intermediate
router.

64. The method of claim 61, further comprising the step of including in one of the first
and second layer headers, an indicator of a number of hops to be made by the first level packet
before arriving at the network destination, the at least one intermediate router decrementing the
indicator of a number of hops and sending the first level packet to another intermediate router
responsively to a value of the indicator of a number of hops.

65. A method of routing packets on a packet network, comprising the steps of:

block-encrypting, with a session key, message data to form payloads;

dividing an encrypted block resulting from the block-encrypting into at least two data
payloads such that interleaving portions of data resulting from the block-encrypting step are
among the at least two data payloads;

encrypting, with a link key, each of the at least two data payloads, together with
destination data identifying a final destination [...] packets;

combining, with a first payload resulting from the last step of encrypting, a first hop
address indicating a first intermediate destination address and transmitting a first packet resulting
thereby to the first intermediate destination address;

combining, with a second payload resulting from the last step of encrypting, a second hop
address indicating a second intermediate destination address and transmitting a second packet
resulting thereby to the second intermediate destination address.

66. The method of claim 65, further comprising the steps of:

combining, in the first packet, a first hop counter;

at a terminal coinciding with the first intermediate destination address, determining,
responsively to the first hop counter, to send the first packet to the final destination address; and

at the terminal coinciding with the first intermediate destination address, decrypting with
the link key the first payload to expose the final destination address and sending the first packet to
the final destination address, responsively to the step of determining.

67. The method of claim 65, further comprising the steps of:

combining, in the second packet, a second hop counter;

at a terminal coinciding the second intermediate destination address, determining,
responsively to the second hop counter, to send the first packet to the final destination address;

at the terminal coinciding with the second intermediate destination address, decrypting
with the link key the second payload to expose the final destination address and sending the
second packet to the final destination address, responsively to the last step of determining.
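
The receive-side check recited in claims 1, 8, 9 and 12 (a discriminator compared against a moving window of valid values that both computers generate from shared information), sketched as an added Python example that is not part of the patent text. HMAC-SHA256 as the generator, the 32-bit discriminator size and the window width of 8 are assumptions chosen for illustration.

```python
import hashlib
import hmac


def discriminator(secret: bytes, index: int) -> int:
    """32-bit discriminator for packet number `index`.

    Assumption: both ends derive values with HMAC-SHA256 over a shared
    secret; the claims only require shared information (claim 9).
    """
    mac = hmac.new(secret, index.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


class Sender:
    """Embeds a different discriminator in each successive packet (claim 7)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.next_index = 0

    def next_packet(self, payload: bytes):
        value = discriminator(self.secret, self.next_index)
        self.next_index += 1
        return value, payload


class Receiver:
    """Accepts a packet only if its discriminator is in the current window."""

    def __init__(self, secret: bytes, width: int = 8):
        self.secret = secret
        self.width = width      # small window, as in claim 8
        self.base = 0           # lowest index not yet received
        self.seen = set()       # indices accepted ahead of `base`
        self.window = {}        # discriminator -> index (hash lookup, claim 12)
        self._rebuild()

    def _rebuild(self):
        # Only indices inside the window that were not already used are valid,
        # so a replayed packet no longer matches anything.
        self.window = {
            discriminator(self.secret, i): i
            for i in range(self.base, self.base + self.width)
            if i not in self.seen
        }

    def accept(self, packet) -> bool:
        value, _payload = packet
        index = self.window.get(value)
        if index is None:
            return False        # not in the set of valid values: reject
        self.seen.add(index)
        # Move the window past every contiguous index already received.
        while self.base in self.seen:
            self.seen.discard(self.base)
            self.base += 1
        self._rebuild()
        return True


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed sample value
    tx, rx = Sender(secret), Receiver(secret)
    packets = [tx.next_packet(b"data") for _ in range(4)]
    for number in (0, 0, 2, 1, 3):          # includes a replay and a reordering
        print(number, rx.accept(packets[number]))
```

A narrow window tolerates only limited reordering or loss; a packet that arrives further ahead than the window width is rejected until the two ends resynchronize, which is the situation claims 13 to 16 address.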